CVE-2026-5772 · A 1-byte stack buffer over-read was identified in the MatchDomainName function (src/internal.c) during wildcard hostname validation when the

01 · The Real Story

This is a paper cut on the lock inspector, not a master key for the building

CVE-2026-5772 is a 1-byte stack buffer over-read in MatchDomainName() inside wolfSSL src/internal.c, triggered during wildcard hostname validation when LEFT_MOST_WILDCARD_ONLY is active. Authoritative affected range is wolfSSL up to and including 5.9.0; the fix lands in 5.9.1. To hit it, an attacker has to drive the victim into the wildcard certificate-name matching path and supply a pattern/hostname combination where * consumes the remaining hostname so the code reads one byte past the end.

The supplied MEDIUM 5.3 rating reflects the NVD CVSS v3.1 view, but in real deployments that overstates the risk. wolfSSL itself classifies it LOW under CVSS v4.0, and that matches reality better: this is a tiny over-read with crash potential only, no demonstrated code execution, and it sits behind a specific client-side certificate validation path rather than a broad unauthenticated server attack surface.

"This is a crash-only edge case in a narrow client validation path, not a fleet-wide fire drill"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Place a malicious TLS endpoint in the client’s path

The attacker needs a custom TLS server or MITM position to feed the client a crafted certificate name pattern that reaches wolfSSL hostname validation. In practice this is a tlsfuzzer-style harness or custom server, not an off-the-shelf wormable exploit. This already implies either the victim connects to attacker-controlled infrastructure or the attacker has a network interception foothold.

Conditions required:

Victim application uses wolfSSL for certificate hostname validation
Attacker can operate a malicious server or sit in a MITM position
The client actually attempts a TLS connection to that endpoint

Where this breaks in practice:

This is client-side reachability, not a generic internet-exposed daemon flaw
Modern PKI, pinned endpoints, egress controls, and sane destination allowlists cut the reachable population hard
Many embedded wolfSSL deployments do not expose an easy attacker-driven arbitrary outbound TLS path

Detection/coverage: Network scanners will not reliably find this. Detection is mostly architectural: SBOM/SCA, package inventory, firmware component inventory, and targeted code-path review.

STEP 02

Hit the exact wildcard validation branch

The crafted certificate name must drive execution into MatchDomainName() with the LEFT_MOST_WILDCARD_ONLY flag active. That is a narrower precondition than 'uses wolfSSL' because the vulnerable behavior only exists in a specific wildcard hostname-matching scenario during certificate validation.

Conditions required:

Hostname verification is enabled
LEFT_MOST_WILDCARD_ONLY behavior is in play
Wildcard matching is reached during validation

Where this breaks in practice:

Not every wolfSSL consumer uses this validation mode
Some products pin certificates or names and never exercise this wildcard path
Server-side wolfSSL use is common, but this bug matters when the validation logic is actually invoked

Detection/coverage: No signature-grade scanner coverage for the branch condition. Expect false confidence from generic 'wolfSSL present' findings because presence does not equal reachability.

STEP 03

Trigger the 1-byte over-read

Once the wildcard consumes the remaining hostname, the vulnerable loop can compare the remaining pattern against an exhausted buffer and read one byte past the end. The fix in PR #10119 adds a guard so processing stops when the string length reaches zero. This is a memory-safety bug, but a very constrained one.

Conditions required:

Crafted hostname/pattern edge case is accepted up to the compare point
Victim is running wolfSSL 5.9.0 or earlier

Where this breaks in practice:

The read is only 1 byte
No public evidence shows exploitability beyond process instability/crash
Modern compilers, stack layout variation, and surrounding application error handling further reduce dependable impact

Detection/coverage: Dynamic testing or ASan-enabled builds can catch it. Production EDR is unlikely to produce a clean, high-confidence signal unless the process crashes.

STEP 04

Land limited impact

The realistic outcome is availability impact at most: process abort, crash, or connection failure in the client/application using wolfSSL. There is no source-backed path to confidentiality loss, integrity loss, or remote code execution here. For enterprise prioritization, that keeps this in backlog territory unless the affected client is extremely mission-critical.

Conditions required:

Application reacts poorly to the malformed validation path
A crash or abort materially affects service delivery

Where this breaks in practice:

Single-client or per-process blast radius is small
Many applications will just drop the connection rather than materially degrade operations
No KEV listing, no observed campaigns, no public weaponization

Detection/coverage: Watch for crash telemetry, segfaults, core dumps, and abnormal TLS handshake failures in clients linked against vulnerable wolfSSL versions.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No evidence of active exploitation found in the reviewed sources, and not listed in CISA KEV.
PoC availability	No public standalone exploit located. The closest thing is the vendor fix PR, which notes it was tested with a provided reproducer.
EPSS	0.00046 (user-supplied), which is extremely low and consistent with a niche, low-impact memory-safety edge case.
KEV status	Absent from CISA KEV; no federal remediation due date exists because it is not cataloged there.
CVSS reality check	NVD shows CVSS v3.1 5.3 / MEDIUM (`AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`), but the CNA/vender record shows CVSS v4.0 2.1 / LOW with attack requirements present and passive user interaction. The vendor view fits the exploit chain better.
Affected versions	wolfSSL <= 5.9.0 is affected; NVD CPE marks versions before 5.9.1 as vulnerable.
Fixed versions	wolfSSL 5.9.1 fixes it. Debian shows forky/sid fixed at 5.9.1-0.1, while bullseye/bookworm/trixie were still tracked as vulnerable or postponed in the reviewed tracker snapshot.
Exposure / scanning reality	This is a library bug, not a cleanly fingerprintable internet service flaw. Shodan/Censys-style counts are mostly noise here because exposure depends on products that bundle wolfSSL and whether they actually invoke this wildcard validation path.
Disclosure	Published 2026-04-09; report credited to Zou Dikai.
Reachability choke points	Requires client-side certificate hostname validation, wildcard matching, and the `LEFT_MOST_WILDCARD_ONLY` code path. Each prerequisite narrows the real exposed population.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (2.4/10)

The decisive factor is reachability friction: an attacker usually needs a malicious TLS server or MITM position and must still hit a narrow wildcard-validation branch in client code. Even then, the demonstrated effect is only a 1-byte over-read with at-most crash impact, which is not the profile of a high-priority enterprise patch emergency.

HIGH Technical impact is limited to low-grade availability risk

MEDIUM Real-world deployment reachability across wolfSSL consumers

Why this verdict

Start below the NVD baseline: the vendor/CNA scored this LOW 2.1 CVSS v4.0, and that is closer to the actual exploit chain than the NVD MEDIUM 5.3 v3.1 score.
Attacker position requirement: this is effectively a client-side attack that usually needs a malicious TLS endpoint or MITM position, which implies a prior foothold or user/application steering.
Narrow reachable population: only deployments that hit MatchDomainName() with wildcard hostname validation and LEFT_MOST_WILDCARD_ONLY active are exposed, which is a major downward pressure on severity.
Impact ceiling stays low: the flaw is a 1-byte stack over-read with source-backed crash potential only; there is no demonstrated RCE, no confidentiality loss, and no integrity loss.
Threat intel is quiet: no KEV, no campaign reporting, no public exploit tooling found, and the supplied EPSS 0.00046 is bottom-barrel.

Why not higher?

It is not higher because the attack chain is not broadly reachable from the internet in the way the NVD vector suggests. The bug also lacks a credible path to code execution or data theft; the documented outcome is a possible crash from a 1-byte over-read in a narrow validation edge case.

Why not lower?

It is not IGNORE because this is still a real memory-safety defect in a cryptographic library used across embedded and appliance ecosystems. If you run wolfSSL in a mission-critical client role, a remotely triggerable crash path through TLS validation still deserves routine remediation and inventory attention.

05 · Compensating Control

What to do — in priority order.

Inventory wolfSSL consumers — Identify binaries, packages, containers, firmware images, and third-party products bundling wolfSSL so you know whether you even have exposure. For a LOW verdict there is no SLA (treat as backlog hygiene), but do this during the next normal library/firmware review so hidden copies in appliances do not linger forever.
Constrain outbound trust paths — Prioritize destination allowlists, certificate pinning, and tightly scoped egress for applications that use wolfSSL as a client. Those controls reduce the chance a client ever talks to an attacker-controlled TLS endpoint; for LOW, apply as backlog hygiene rather than as an emergency control.
Prefer vendor firmware with wolfSSL 5.9.1+ — Where wolfSSL is embedded in products, the practical fix is often a vendor firmware update rather than a direct library patch. Queue those updates in the next routine maintenance cycle because LOW has no mitigation SLA and no hard remediation SLA beyond backlog hygiene.

What doesn't work

A WAF or edge IPS will not reliably help because the vulnerable logic lives in the client/library validation path, not a simple HTTP request surface.
Internet exposure counts alone do not tell you risk here; this is a library flaw and banner-based search engines cannot tell whether the vulnerable wildcard path is reachable.
Generic EDR exploit signatures are weak coverage because there is no stable public exploit chain and the likely symptom is just a crash or aborted handshake.

06 · Verification

Crowdsourced verification payload.

Run this on the Linux target host or appliance shell that may have wolfSSL installed. Invoke it as bash check_wolfssl_cve_2026_5772.sh or point it at a specific library file like bash check_wolfssl_cve_2026_5772.sh /usr/lib/libwolfssl.so; root is not usually required, but helps if library paths are restricted.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_wolfssl_cve_2026_5772.sh
# Detect likely exposure to CVE-2026-5772 on Linux targets.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

set -u

TARGET_PATH="${1:-}"
FIXED_VERSION="5.9.1"
FOUND_VERSION=""
SOURCE=""

ver_lt() {
  # returns 0 if $1 < $2
  [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" != "$2" ]
}

normalize_version() {
  echo "$1" | sed -E 's/^v//; s/[^0-9.].*$//'
}

try_pkg_config() {
  if command -v pkg-config >/dev/null 2>&1 && pkg-config --exists wolfssl 2>/dev/null; then
    pkg-config --modversion wolfssl 2>/dev/null | head -n1
    return 0
  fi
  return 1
}

try_dpkg() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Version}\n' libwolfssl* wolfssl 2>/dev/null | grep -E '[0-9]' | head -n1
    return 0
  fi
  return 1
}

try_rpm() {
  if command -v rpm >/dev/null 2>&1; then
    rpm -qa | grep -Ei '^wolfssl(-libs)?-' | sed -E 's/^.*-([0-9][A-Za-z0-9.+:~_-]*)$/\1/' | head -n1
    return 0
  fi
  return 1
}

try_apk() {
  if command -v apk >/dev/null 2>&1; then
    apk info -e wolfssl >/dev/null 2>&1 && apk info -v wolfssl 2>/dev/null | head -n1 | sed -E 's/^wolfssl-//'
    return 0
  fi
  return 1
}

try_opkg() {
  if command -v opkg >/dev/null 2>&1; then
    opkg list-installed 2>/dev/null | awk '/^libwolfssl|^wolfssl/ {print $3; exit}'
    return 0
  fi
  return 1
}

try_strings_on_file() {
  local f="$1"
  [ -r "$f" ] || return 1
  strings "$f" 2>/dev/null | grep -Eo 'wolfSSL[^0-9]*v?[0-9]+\.[0-9]+\.[0-9]+' | head -n1 | grep -Eo 'v?[0-9]+\.[0-9]+\.[0-9]+'
}

if [ -n "$TARGET_PATH" ]; then
  FOUND_VERSION="$(try_strings_on_file "$TARGET_PATH")"
  FOUND_VERSION="$(normalize_version "$FOUND_VERSION")"
  if [ -n "$FOUND_VERSION" ]; then
    SOURCE="strings:$TARGET_PATH"
  fi
fi

if [ -z "$FOUND_VERSION" ]; then
  v="$(try_pkg_config || true)"
  v="$(normalize_version "$v")"
  if [ -n "$v" ]; then FOUND_VERSION="$v"; SOURCE="pkg-config"; fi
fi

if [ -z "$FOUND_VERSION" ]; then
  v="$(try_dpkg || true)"
  v="$(normalize_version "$v")"
  if [ -n "$v" ]; then FOUND_VERSION="$v"; SOURCE="dpkg"; fi
fi

if [ -z "$FOUND_VERSION" ]; then
  v="$(try_rpm || true)"
  v="$(normalize_version "$v")"
  if [ -n "$v" ]; then FOUND_VERSION="$v"; SOURCE="rpm"; fi
fi

if [ -z "$FOUND_VERSION" ]; then
  v="$(try_apk || true)"
  v="$(normalize_version "$v")"
  if [ -n "$v" ]; then FOUND_VERSION="$v"; SOURCE="apk"; fi
fi

if [ -z "$FOUND_VERSION" ]; then
  v="$(try_opkg || true)"
  v="$(normalize_version "$v")"
  if [ -n "$v" ]; then FOUND_VERSION="$v"; SOURCE="opkg"; fi
fi

if [ -z "$FOUND_VERSION" ]; then
  for f in /usr/lib*/libwolfssl.so* /usr/local/lib*/libwolfssl.so* /lib*/libwolfssl.so*; do
    [ -e "$f" ] || continue
    v="$(try_strings_on_file "$f")"
    v="$(normalize_version "$v")"
    if [ -n "$v" ]; then
      FOUND_VERSION="$v"
      SOURCE="strings:$f"
      break
    fi
  done
fi

if [ -z "$FOUND_VERSION" ]; then
  echo "UNKNOWN - wolfSSL version could not be determined from package manager metadata or library strings"
  exit 2
fi

if ver_lt "$FOUND_VERSION" "$FIXED_VERSION"; then
  echo "VULNERABLE - wolfSSL $FOUND_VERSION detected via $SOURCE; CVE-2026-5772 affects versions before $FIXED_VERSION"
  exit 1
else
  echo "PATCHED - wolfSSL $FOUND_VERSION detected via $SOURCE; fixed version threshold is $FIXED_VERSION"
  exit 0
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, do not burn your scarce emergency patch capacity on this one. Validate whether wolfSSL is even present in your fleet, then fold wolfSSL 5.9.1+ or the equivalent vendor firmware into the next normal maintenance cycle, prioritizing externally connected clients and appliances you can actually update; for a LOW verdict there is no noisgate mitigation SLA and no noisgate remediation SLA beyond backlog hygiene, so document the risk, patch routinely, and spend this week on issues with active exploitation or easier unauthenticated reachability instead.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.